[ On Friday, August 11, 2000 at 10:33:51 (-0400), Justin Wells wrote: ]
> Subject: Re: cvs-nserver and latest CVS advisory
>
> Wrong again. When pserver is authenticating with real Unix uid's there is
> no way for someone to fool CVS into changing their UID. CVS can't do it.

Have you forgotten that cvspserver offers almost zero integrity on the
link thus making it trivial for you to authorise any random hacker --
i.e. there is no strong authentication in cvspserver. It does not
matter whether you map cvspserver users onto system userids -- their
identity is still unauthenticated even though it may be authorised!
Knowing a clear-text password is not "authentication" of any sort!
I.e. cvspserver has zero security outside of a private secure LAN!
--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
